Posted
by
Soulskillon Monday March 28, 2011 @04:32PM
from the par-for-the-course dept.

Julie188 writes "The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list. Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe."

At my former employer, I was in charge of managing the McAfee Secure scans (but not remediation) for all of our external sites. The maddening thing for me was that we got a ridiculously large amount of time to remediate any vulnerabilities before the Certified logo would show any issues (30 days comes to mind). Additionally, the scans only took place once per month. You could have a vulnerability out there for up to 60 days without ever getting addressed and everything shows up as fine and dandy, McAfee Secure Certified (tm). IMHO this is unacceptable and gives a false sense of security to the end-user. It also makes it damn hard to motivate the people in charge of patching and shoring up their piss-poor system admin practices to actually get off their damn asses and do something about it. A typical conversation after discovering a vulnerability went something like this:

Me: McAfee Secure found these problems. *Sends scan report*Joe Sixpack SysAdmin: Meh, I've got a whole month before I need to remediate these issues, so it's not really a vulnerability yet. I'll wait until day 29 and a half to look at it, then freak out and point the finger back at you when I can't get it fixed in under 10 minutes.Me: *facepalm*

Needless to say, when I see a McAfee Secure Certified logo on any site, I basically ignore it at best or altogether avoid the site at worst. It's a joke. Only less funny.

On the positive side, the scan reports are very pretty. A hell of a lot better than McAfee Vulnerability Manager's sh*t reports.

I'm also a former employee and posting as AC for anonymous reasons. Note that all but two of the vulnerabilities are from the download site. That site is comprised of a number of servers that exclusively host the DAT files and updates. Not the website itself. The download servers are also supported by a development team that don't know anything about web security so it doesn't suprise me in the least that their site is the one with the vast majority of issues.

Do they offer training on that? They just might get people to pay them for the opportunity. Of course, one the training is over, they will never leave their home, so the you'll need to train a whole new batch.

These are all minor security problems... some of which are so minor one could debate whether they should even be classified as security problems at all. Really, this is much ado about little. Any big website will have things like this. Even security experts make mistakes, and most of the staff at McAfee, as with all other big companies, aren't security experts.

You seem to have a lack of understanding of how enterprise IT/IS actually works. You seem to think people in the marketing dept actually admin the web services for the company? In most modern medium to large (to ginormous) companies, there is a group in IT that is specifically tasked with managing the company's web presence including servers and software. A security group determines policies and practices that the Web group must follow. That same security group vets the services *before* going live and cont

So do I. And because I work in a place larger than a popsicle stand, I know that minor security issues like this are par for the course in marketing material. I also know that security analysis is expensive. And to top it off, I know that organizations, even security organizations, don't do well if they waste money on minor issues th

McAfee shouldn't be absolved of their mistakes, but those mistakes should be put into perspective.

If McAfee did happen to make an awesome vulnerability checker (okay, I'll wait while you stop laughing....), then the fact that they simply did not use it on their own site doesn't mean that the product fails, it means that they don't understand how failures in their public presentation can be damaging.

Of course, I don't know if the site checker fails, because I won't go near a McAfee product unless my workplac

Why are you so adamant to absolve McAfee of their own stupidity? If a car is advertised as the fastest car ever, then that's ok because their marketing department isn't full of mechanical engineers?

Welllll if you'll indulge me while I play Devil's Advocate for a moment...

It's more like Starbucks claiming that they make the best coffee ever, then having it scientifically proven that their tea is terrible.

It is humourous, but unless I'm really mistaken about the products they offer (and since their site is down I accept the risk that I may be corrected on this), you cannot install McAfee on a weberver and expect it to tell you that a cross-scripting vulnerability exists.

But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be held to a higher standard.

Go ahead and hold them to whatever standard you like. The fact is, computer security in general is completely unmanageable. ALL solutions fix a certain set of problems while not fixing (or creating) others.

Everything I have seen points to an inescapable conclusion: you cannot protect any network of significant size from intrusions and leaks. Nobody has accomplished

If they were just another big company that would be fine but when they can't even secure themselves while they're selling the service of securing others it deserves all the ridicule that the people here can dish out.

I can understand other companies not considering security to be a number 1 concern, they've got other things to worry about but a security company has no such excuse.

Yes. Slashdot's source code is "disclosed." Do you call that a threat?

First of all, no it's not. Slashcode's source code is disclosed, because it is an open source project.
And Slashdot has code in common, but they aren't 100% equal.

Second, that's intentional disclosure, meaning the code has probably been reviewed to ensure it doesn't contain anything sensitive. There's a big difference between what goes in an intended disclosure and accidental leak.

So some of slashdot's code is available. The same is true of McAfee's marketing website. Minor.

You call XSS in a marketing site 'critical.' I would love to know what you don't think is critical. I would bet real money that such a problem is nowhere near the high end of the spectrum of most companies' security threat profiles.

it seems to me that intel has their stuff together on most things (market domination, monopolistic practices, aggressive vendor bullying, and making decent chips once in a while)i never cared for mcafee's products, but i thought about giving them another shot: if intel thinks it's worth money, maybe it is, right?

yet every time i hear the name it's something bad. it was just last year that the false-positive on svchost.exe took down hospitals, schools, and even a few thousand of intel's own P

the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe

There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is fact dangerous to view at that point in time, not whether it could potentially be made dangerous.

This is not to say I don't give a damn about XSS vulnerabilities and the like. It's simply a different (albeit related) topic.

Part of getting the McAfee SECURE Certification IS passing a vulnerability check, they pass there own check, so clearly their check isn't that good.

"With McAfee SECURE for Websites, your site is scanned daily for thousands of hacker vulnerabilities. McAfee, the largest dedicated security company in the world, does this remotely, without any need for expensive or complicated hardware or software. Once certified to this high standard of security, McAfee SECURE customers showcase their safety status by display

"There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is fact dangerous to view at that point in time, not whether it could potentially be made dangerous."

Sort of like saying you're perfectly happy to drive over bridges that have a decent chance of collapsing, so long as they haven't collapsed at that time? Isn't the issue that a site which is perfectly safe to browse but vulnerabl

Maybe it's just semantics. I'd consider most website vulnerabilities to be "unlocked pins" in your example. The reality is that unlike a bridge that has just fallen over, a website which has just been compromised is not easy to spot. I don't trust any tool to detect a compromised website instantly, therefore the potential for compromise seems the most reliable indicator of danger. As for whether McAfee does an acceptable job of any of this, I doubt it.

Back about ten years ago, you used to be able to log into McAfee's FTP server and download their latest for-pay products. IIRC the username was something like "mcafee" and the password was "321". My former boss was a warez puppy and I gather this was commonly known on the scene.

In hockey, the goaltender will intentionally "show" a spot as open, usually the five hole (the space between the legs). The player with the puck, seeing this, will often shoot for the five hole, only to have the prepared goalie close the five hole and stop the puck.

McAfee being what it is, could it be that they are "showing" these security holes in an attempt to goad the black hats into trying their latest tricks and toys on McAfee, who could in turn use that data to reenforce their protection software?

Long story short -- their ActiveX control exported a wrapper around the Win32 ShellExecute API. What could possibly go wrong? The XSS thing in their help here seems to be of the same "do the simplest thing, damn the consequences" variety; it looks

That fits my limited observations pretty much exactly. We looked at their enterprise stuff during the same project and were completely confused why the straightforward, correct stuff over there didn't make it into the consumer version.

McAfee's business model has been "security through rendering your computer nearly inoperative" for over a decade now, anyway. Just wait until the website gets pwned and stops working, and it will have been successfully "protected".

...but I love the smell of irony in the morning...afternoon...whatever.

It kinda reminds me of that NOMEX factory that burned down...well, isn't that odd. I remember hearing about that at a safety meeting a couple of years ago, but now I can't find any links to post, none at all...was it all a dream? A deliciously ironic dream?

(I could only wish my dreams were more exciting than creating my own safety meetings in my head...*sigh*)

This is news? McAfee hasn't been secure or even any good at anti-virus since... like... the DOS days. If they ever were. Wern't they the ones who put out a DOS anti-virus kit? Or am I thinking of someone else? If it's someone else, then McAfee has always sucked.

1) I was making the point that McAfee hasn't been worth a shit since before the turn of the millienium OR they haven't ever been worth a shit.2) Aggravating douchebags like yourself who aren't smart enough to figure out number 1.

I'm not sure how you people live with this crap.. I get customers all the time whose prophylactic safety net has malfunctioned on them, leaving them without access to the web, or their email.. Yes, I guess not being able to surf and check your email is possibly the safest route for them anyway.. So now you got these dudes looking for problems that will make the next version of funware better, and more complicated, and prone to creating people who can't figure out how come they can't get to Facebook.. The wh

Sorry, with this last one I hope they go bankrupt....you should be held accountable for your actions, and when you say you are about security, and you do not do the work on your own website...i think it should bring their end. MHO